Screenshot 2017-03-23 at 16.39.04.png

Name of Policy

General Data Protection Regulation (GDPR)

Policy Number

S5

The Three Rivers Trust

Named Person(s)

Mark Tait

Review Committee

Resources

Last review date

Replaced Data Protection

Next review date

Spring 2021

3RLT Letterhead Footer.jpg

Contents:

Statement of intent

  1. Legal framework
  2. Applicable data 
  3. Principles
  4. Accountability
  5. Data protection officer (DPO)
  6. Lawful processing
  7. Consent
  8. The right to be informed
  9. The right of access
  10. The right to rectification
  11. The right to erasure
  12. The right to restrict processing
  13. The right to data portability
  14. The right to object 
  15. Automated decision making and profiling
  16. Privacy by design and privacy impact assessments
  17. Data breaches
  18. Data security
  19. Publication of information 
  20. CCTV and photography 
  21. Data retention
  22. DBS data 
  23. Policy review 

Statement of intent

The Three Rivers Learning Trust is required to keep and process certain information about its staff members and pupils in accordance with its legal obligations under the General Data Protection Regulation (GDPR).

The Trust may, from time to time, be required to share personal information about its staff or pupils with other organisations, mainly the LA, other Trusts and educational bodies, and potentially children’s services.

This policy is in place to ensure all staff and governors are aware of their responsibilities and outlines how the Trust complies with the following core principles of the GDPR.

Organisational methods for keeping data secure are imperative, and The Three Rivers Learning Trust believes that it is good practice to keep clear practical policies, backed up by written procedures.

This policy complies with the requirements set out in the GDPR, which will come into effect on 25 May 2018. The government have confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

Signed by:

Head of School

Date:

Chair of Directors

Date:

  1. Legal framework

  1. This policy has due regard to legislation, including, but not limited to the following:
  1. This policy will also have regard to the following guidance:
  1. This policy will be implemented in conjunction with the following other Trust policies:

  1. Applicable data

  1. For the purpose of this policy, personal data refers to information that relates to an identifiable, living individual, including information such as an online identifier, e.g. an IP address. The GDPR applies to both automated personal data and to manual filing systems, where personal data is accessible according to specific criteria, as well as to chronologically ordered data and pseudonymised data, e.g. key-coded.
  2. Sensitive personal data is referred to in the GDPR as ‘special categories of personal data’, which are broadly the same as those in the Data Protection Act (DPA) 1998. These specifically include the processing of genetic data, biometric data and data concerning health matters.

  1. Principles

  1. In accordance with the requirements outlined in the GDPR, personal data will be:
  1. The GDPR also requires that “the controller shall be responsible for, and able to demonstrate, compliance with the principles”.

  1. Accountability

  1. The Three Rivers Learning Trust will implement appropriate technical and organisational measures to demonstrate that data is processed in line with the principles set out in the GDPR.  
  2. The Trust will provide comprehensive, clear and transparent privacy policies.
  3. [Trusts with over 250 employees only] Additional internal records of the Trust’s processing activities will be maintained and kept up-to-date.
  4. [Trusts with less than 250 employees only] Records of activities relating to higher risk processing will be maintained, such as the processing of special categories data or that in relation to criminal convictions and offences.
  5. Internal records of processing activities will include the following:
  1. The Trust will implement measures that meet the principles of data protection by design and data protection by default, such as:
  1. Data protection impact assessments will be used, where appropriate.

  1. Data protection officer (DPO)

  1. A DPO will be appointed in order to:
  1. An existing employee will be appointed to the role of DPO provided that their duties are compatible with the duties of the DPO and do not lead to a conflict of interests.
  2. The individual appointed as DPO will have professional experience and knowledge of data protection law, particularly that in relation to Trusts.
  3. The DPO will report to the highest level of management at the Trust, which is the Head of School.
  4. The DPO will operate independently and will not be dismissed or penalised for performing their task.
  5. Sufficient resources will be provided to the DPO to enable them to meet their GDPR obligations.

  1. Lawful processing

  1. The legal basis for processing data will be identified and documented prior to data being processed.
  2. Under the GDPR, data will be lawfully processed under the following conditions:
  1. Sensitive data will only be processed under the following conditions:

  1. Consent

  1. Consent must be a positive indication. It cannot be inferred from silence, inactivity or pre-ticked boxes.
  2. Consent will only be accepted where it is freely given, specific, informed and an unambiguous indication of the individual’s wishes.
  3. Where consent is given, a record will be kept documenting how and when consent was given.
  4. The Trust ensures that consent mechanisms meet the standards of the GDPR. Where the standard of consent cannot be met the processing must cease.
  5. Consent accepted under the DPA will be reviewed to ensure it meets the standards of the GDPR; however, acceptable consent obtained under the DPA will not be reobtained.
  6. Consent can be withdrawn by the individual at any time.
  7. Where a child is under the age of 16 [or younger if the law provides it (up to the age of 13)], the consent of parents will be sought prior to the processing of their data, except where the processing is related to preventative or counselling services offered directly to a child.

  1. The right to be informed

  1. The privacy notice supplied to individuals in regards to the processing of their personal data will be written in clear, plain language which is concise, transparent, easily accessible and free of charge.
  2. If services are offered directly to a child, the Trust will ensure that the privacy notice is written in a clear, plain manner that the child will understand.
  3. In relation to data obtained both directly from the data subject and not obtained directly from the data subject, the following information will be supplied within the privacy notice:
  1. Where data is obtained directly from the data subject, information regarding whether the provision of personal data is part of a statutory or contractual requirement, as well as any possible consequences of failing to provide the personal data, will be provided.
  2. Where data is not obtained directly from the data subject, information regarding the categories of personal data that the Trust holds, the source that the personal data originates from and whether it came from publicly accessible sources, will be provided.
  3. For data obtained directly from the data subject, this information will be supplied at the time the data is obtained.
  4. In relation to data that is not obtained directly from the data subject, this information will be supplied:

  1. The right of access

  1. Individuals have the right to obtain confirmation that their data is being processed.
  2. Individuals have the right to submit a subject access request (SAR) to gain access to their personal data in order to verify the lawfulness of the processing.
  3. The Trust will verify the identity of the person making the request before any information is supplied.
  4. A copy of the information will be supplied to the individual free of charge; however, the Trust may impose a ‘reasonable fee’ to comply with requests for further copies of the same information.
  5. Where a SAR has been made electronically, the information will be provided in a commonly used electronic format.
  6. Where a request is manifestly unfounded, excessive or repetitive, a reasonable fee will be charged.  
  7. All fees will be based on the administrative cost of providing the information.
  8. All requests will be responded to without delay and at the latest, within one month of receipt.
  9. In the event of numerous or complex requests, the period of compliance will be extended by a further two months. The individual will be informed of this extension, and will receive an explanation of why the extension is necessary, within one month of the receipt of the request.
  10. Where a request is manifestly unfounded or excessive, the Trust holds the right to refuse to respond to the request. The individual will be informed of this decision and the reasoning behind it, as well as their right to complain to the supervisory authority and to a judicial remedy, within one month of the refusal.
  11. In the event that a large quantity of information is being processed about an individual, the Trust will ask the individual to specify the information the request is in relation to.

  1. The right to rectification 

  1. Individuals are entitled to have any inaccurate or incomplete personal data rectified.
  2. Where the personal data in question has been disclosed to third parties, the Trust will inform them of the rectification where possible.
  3. Where appropriate, the Trust will inform the individual about the third parties that the data has been disclosed to.
  4. Requests for rectification will be responded to within one month; this will be extended by two months where the request for rectification is complex.
  5. Where no action is being taken in response to a request for rectification, the Trust will explain the reason for this to the individual, and will inform them of their right to complain to the supervisory authority and to a judicial remedy.

  1. The right to erasure

  1. Individuals hold the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
  2. Individuals have the right to erasure in the following circumstances:
  1. The Trust has the right to refuse a request for erasure where the personal data is being processed for the following reasons:
  1. As a child may not fully understand the risks involved in the processing of data when consent is obtained, special attention will be given to existing situations where a child has given consent to processing and they later request erasure of the data, regardless of age at the time of the request.
  2. Where personal data has been disclosed to third parties, they will be informed about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
  3. Where personal data has been made public within an online environment, the Trust will inform other organisations who process the personal data to erase links to and copies of the personal data in question.

  1. The right to restrict processing

  1. Individuals have the right to block or suppress the Trust’s processing of personal data.
  2. In the event that processing is restricted, the Trust will store the personal data, but not further process it, guaranteeing that just enough information about the individual has been retained to ensure that the restriction is respected in future.  
  3. The Trust will restrict the processing of personal data in the following circumstances:
  1. If the personal data in question has been disclosed to third parties, the Trust will inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.
  2. The Trust will inform individuals when a restriction on processing has been lifted.

  1. The right to data portability

  1. Individuals have the right to obtain and reuse their personal data for their own purposes across different services.
  2. Personal data can be easily moved, copied or transferred from one IT environment to another in a safe and secure manner, without hindrance to usability.
  3. The right to data portability only applies in the following cases:
  1. Personal data will be provided in a structured, commonly used and machine-readable form.
  2. The Trust will provide the information free of charge.
  3. Where feasible, data will be transmitted directly to another organisation at the request of the individual.
  4. The Trust is not required to adopt or maintain processing systems which are technically compatible with other organisations.
  5. In the event that the personal data concerns more than one individual, the Trust will consider whether providing the information would prejudice the rights of any other individual.  
  6. The Trust will respond to any requests for portability within one month.
  7. Where the request is complex, or a number of requests have been received, the time frame can be extended by two months, ensuring that the individual is informed of the extension and the reasoning behind it within one month of the receipt of the request.
  8. Where no action is being taken in response to a request, the Trust will, without delay and at the latest within one month, explain to the individual the reason for this and will inform them of their right to complain to the supervisory authority and to a judicial remedy.

  1. The right to object

  1. The Trust will inform individuals of their right to object at the first point of communication, and this information will be outlined in the privacy notice and explicitly brought to the attention of the data subject, ensuring that it is presented clearly and separately from any other information.
  2. Individuals have the right to object to the following:
  1. Where personal data is processed for the performance of a legal task or legitimate interests:
  1. Where personal data is processed for direct marketing purposes:
  1. Where personal data is processed for research purposes:
  1. Where the processing activity is outlined above, but is carried out online, the Trust will offer a method for individuals to object online.

  1. Automated decision making and profiling

  1. Individuals have the right not to be subject to a decision when:
  1. The Trust will take steps to ensure that individuals are able to obtain human intervention, express their point of view, and obtain an explanation of the decision and challenge it.
  2. When automatically processing personal data for profiling purposes, the Trust will ensure that the appropriate safeguards are in place, including:
  1. Automated decisions must not concern a child or be based on the processing of sensitive data, unless:

  1. Privacy by design and privacy impact assessments

  1. The Trust will act in accordance with the GDPR by adopting a privacy by design approach and implementing technical and organisational measures which demonstrate how the Trust has considered and integrated data protection into processing activities.
  2. Data protection impact assessments (DPIAs) will be used to identify the most effective method of complying with the Trust’s data protection obligations and meeting individuals’ expectations of privacy.
  3. DPIAs will allow the Trust to identify and resolve problems at an early stage, thus reducing associated costs and preventing damage from being caused to the Trust’s reputation which might otherwise occur.
  4. A DPIA will be carried out when using new technologies or when the processing is likely to result in a high risk to the rights and freedoms of individuals.
  5. A DPIA will be used for more than one project, where necessary.
  6. High risk processing includes, but is not limited to, the following:
  1. The Trust will ensure that all DPIAs include the following information:
  1. Where a DPIA indicates high risk data processing, the Trust will consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.

  1. Data breaches

  1. The term ‘personal data breach’ refers to a breach of security which has led to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  2. The Head of School/School Business Manager (SBM) will ensure that all staff members are made aware of, and understand, what constitutes a data breach as part of their CPD training.
  3. Where a breach is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed.
  4. All notifiable breaches will be reported to the relevant supervisory authority within 72 hours of any member of the Trust becoming aware of it.
  5. The risk of the breach having a detrimental effect on the individual, and the need to notify the relevant supervisory authority, will be assessed on a case-by-case basis.
  6. In the event that a breach is likely to result in a high risk to the rights and freedoms of an individual, the Trust will notify those concerned directly.
  7. A ‘high risk’ breach means that the threshold for notifying the individual is higher than that for notifying the relevant supervisory authority.
  8. In the event that a breach is sufficiently serious, the public will be notified without undue delay.
  9. Effective and robust breach detection, investigation and internal reporting procedures are in place at the Trust, which facilitate decision-making in relation to whether the relevant supervisory authority or the public need to be notified.
  10. Within a breach notification, the following information will be outlined:
  1. Failure to report a breach when required to do so may result in a fine, as well as a fine for the breach itself.

  1. Data security

  1. Confidential paper records will be kept in a locked filing cabinet, drawer or safe, with restricted access.
  2. Confidential paper records will not be left unattended or in clear view anywhere with general access.
  3. Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed up off-site.
  4. Where data is saved on removable storage or a portable device, the device will be kept in a locked filing cabinet, drawer or safe when not in use.
  5. Memory sticks will not be used to hold personal information unless they are password-protected and fully encrypted.
  6. All electronic devices are password-protected to protect the information on the device in case of theft.
  7. Where possible, the Trust enables electronic devices to allow the remote blocking or deletion of data in case of theft.
  8. Staff and governors will not use their personal laptops or computers to store personal data. 
  9. All necessary members of staff are provided with their own secure login and password, and every computer regularly prompts users to change their password.
  10. Emails containing sensitive or confidential information are password-protected if there are unsecure servers between the sender and the recipient.
  11. Circular emails to parents are sent blind carbon copy (bcc), so email addresses are not disclosed to other recipients.
  12. When sending confidential information by fax, staff will always check that the recipient is correct before sending.
  13. Where personal information that could be considered private or confidential is taken off the premises, either in electronic or paper format, staff will take extra care to follow the same procedures for security, e.g. keeping devices under lock and key. The person taking the information from the Trust premises accepts full responsibility for the security of the data.
  14. Before sharing data, all staff members will ensure:
  1. Under no circumstances are visitors allowed access to confidential or personal information. Visitors to areas of the Trust containing sensitive information are supervised at all times.
  2. The physical security of the Trust’s buildings and storage systems, and access to them, is reviewed on a termly basis. If an increased risk in vandalism/burglary/theft is identified, extra measures to secure data storage will be put in place.
  3. The Three Rivers Learning Trust takes its duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary action.
  4. The Trust’s School Business Manager (SBM)/ICT Services Manager is responsible for continuity and recovery measures are in place to ensure the security of protected data.

  1. Publication of information

  1. The Three Rivers Learning Trust publishes a publication scheme on its website outlining classes of information that will be made routinely available, including:
  1. Classes of information specified in the publication scheme are made available quickly and easily on request.
  2. The Three Rivers Learning Trust will not publish any personal information, including photos, on its website without the permission of the affected individual.
  3. When uploading information to the Trust website, staff are considerate of any metadata or deletions which could be accessed in documents and images on the site.

  1. CCTV and photography

  1. The Trust understands that recording images of identifiable individuals constitutes as processing personal information, so it is done in line with data protection principles.
  2. The Trust notifies all pupils, staff and visitors of the purpose for collecting CCTV images via notice boards, letters and email.
  3. Cameras are only placed where they do not intrude on anyone’s privacy and are necessary to fulfil their purpose.
  4. All CCTV footage will be kept for 28 days for security purposes; the Trust’s School Business Manager (SBM) is responsible for keeping the records secure and allowing access.
  5. The Trust will always indicate its intentions for taking photographs of pupils and will retrieve permission before publishing them.
  6. If the Trust wishes to use images/video footage of pupils in a publication, such as the Trust website, prospectus, or recordings of Trust plays, written permission will be sought for the particular usage from the parent of the pupil.
  7. Precautions, are taken when publishing photographs of pupils, in print, video or on the Trust’s websites.  
  8. Images captured by individuals for recreational/personal purposes, and videos made by parents for family use, are exempt from the GDPR.

  1. Data retention

  1. Data will not be kept for longer than is necessary.  
  2. Unrequired data will be deleted as soon as practicable.
  3. Some educational records relating to former pupils or employees of the Trust may be kept for an extended period for legal reasons, but also to enable the provision of references or academic transcripts.
  4. Paper documents will be shredded or pulped, and electronic memories scrubbed clean or destroyed, once the data should no longer be retained.

  1. DBS data

  1. All data provided by the DBS will be handled in line with data protection legislation; this includes electronic communication.
  2. Data provided by the DBS will never be duplicated.
  3. Any third parties who access DBS information will be made aware of the data protection legislation, as well as their responsibilities as a data handler.

  1. Policy review
  1. This policy is reviewed every two years by the Trust’s School Business Manager (SBM) and the Head of School.

The next scheduled review date for this policy is January 2020.